Cisco NAT problem (on a pix)

[DJMK4]

Hi all,

I am trying to set-up a static one-to-one NAT but it only seems half working, I cant quite put my finger on the issue, basically

What I want is for an outside public IP x.x.x.x to be natted to an internal IP 192.168.0.14, over port 80 and 443

So, address objects have been created

name x.x.x.x asw2_ext
name 192.168.0.14 calendars.blah.net

I have then created the access-list rules

access-list outside_access_in permit tcp any host asw2_ext eq www
access-list outside_access_in permit tcp any host asw2_ext eq https

and the following one-to-one static NAT entry has been created

static (inside,outside) asw2_ext calendars.blah.net netmask 255.255.255.255 0 0

So this should work, the I have checked with him, he can get to it over http but nothing is happening over https.

I have also done a port scan online, it can see http open but not https for the public IP.

I have asked him to verify any other services on this firewall which I could check to see if they have a similar set-up, there are a few similar ones which also use http and https ports, but for outside/inside details, but apart from that I cant see anything else which could be causing it.

Would there be anything else required apart from the above? what would be the best way to debug why http would be working, but not https?

 

[#Chri5#]

Software firewall on the device you are NATing to?

 

[derfderfley]

It looks fine, but posting a sanitized version of the config will make it easier to spot any gotchas.

A few questions;

Pix or ASA and software version?
Is the external address used the same as the WAN interface address?
PDM/ASDM enabled on the device?

 

[madman045]

If the PIX is anything like the ASA's, then by default management is on https

if you enter https://public IP from an external source, what does it return?

 

[DJMK4]

Thats a good point actually should have thought of that, although I have a strange feeling this may also not be the case, I cant test until tomorrow now though.

Other than that I have been through the config a good few times, analyzing, comparing rule entries but can't quite pin-point it.

Will see what sort of response I get tomorrow

Most of our customer base are on ASAs but we still have some pix's out there

The outside object IP I created differs from that of the WAN IP of the firewall, its similar its just an address plucked out the same range to use.

What other details do you need? the config is mid size but would have to sanatise quite a bit

 

[derfderfley]

If your not using the same IP address as the WAN interface it shouldn't be the PDM interface getting in the way.

Have you tried setting up a packet capture, to see if the packets are passing the PIX but not getting a response from the server?
Been a while since I've had to debug a problem on a PIX so I've just linked to the cisco docs for it rather than trying to remember how it works on the PIX. I seem to remember it's close but not quite the same as the ASA 'capture' command. Capture command on pix running 6.35

 

[DJMK4]

Cheers yeah was going to do some packet captures tomorrow morning so will check out that link, in the meantime I have requested him check the end device for any potential blocking on that port

Will let you know how things go tomorrow

 

[DJMK4]

Ah, update, glad it was not my fault

turns out the guy gave me the wrong internal IP 192.168.0.8 not 192.168.0.14, typical

 

[derfderfley]

Ah, update, glad it was not my fault

turns out the guy gave me the wrong internal IP 192.168.0.8 not 192.168.0.14, typical

Fun isn't it?
Lost half a day this week debugging the checkpoint end of a VPN tunnel, and the other guy had his subnet wrong (at the other end) and then didn't change it when it was pointed out.

Still all good practise, I've spend much more time on Cisco ASA's than on Checkpoint kit over the last year, so it all comes in handy for refreshing your skills.